Investigating Issues in Mobile Network (In) Security

Modern Applied Science

November, 2008

Investigating Issues in Mobile Network (In)Security Johnnes Arreymbi School of Computing and Technology University of East London London- UK E-mail: [email protected] Abstract The provision of adaptive content to mobile wireless devices has increasingly become very pertinent. Mobile smart phones and other wireless device usage is increasing daily with ground breaking technological developments – in design, style, content and micro-chips performance. Transmission of data in such environments requires absolute security to protect the individual and content. Any interference and interceptions in the communication process would bring about reduce system usage and development benefits. And with the rapid development in global communication networks, the threat of security and in particular that of cellular telecommunication systems is real and highly dangerous. This paper presents Investigating Issues to evaluate the data security protection accorded by the global telecommunication systems against interception, using encryption, authentication, and ciphering. It will also attempt to discuss several issues of mobile wireless (in)security. In so doing, some security flaws in these approaches will be examined and some suggestions made. Keywords: Cellular communication, Data protection, Mobile Wireless networks, Multimedia content, Security, Encryption, Authentication, Ciphering, Interception, Identity Management (IDM) 1. Introduction Mobile computing is pervading our society and lifestyles. In most cases, connecting to other devices in a mobile environment requires wireless networks. Connectivity could be done via Bluetooth, Infrared, RF Signals, GSM and satellite etc and depending on the nature, purpose and distance of the systems used. The delivery of contents of the multimedia packages – conversation (audio), text, graphics, colour, and video messages - delivered may be very important and confidential. In fact, mobile computing has contributed in increasing productivity and operational efficiency on individuals and businesses, some with highly sensitive and confidential information that needs to be protected for competitive advantage. However, the flexibility and ubiquity of the mobile - wireless system comes at a price – that of (in)security. Network (in)security is of paramount concern to any wireless or mobile network provider and practitioner. The fact that radio signals travel through air space, they can easily be intercepted with the right equipments. The mobility of such equipments makes them difficult to trace. Increasingly, hackers and scammers are scanning airwaves and siphoning off cellular ID numbers for improper use, manipulative scams, and sometimes even jamming the airwaves with denial-of-service (DOS) attacks, reducing through-puts and making it difficult for services to function. Nowadays, even pager messages are no longer safe. The security of a mobile network such as GSM includes multiple technologies that attempt to resolve ID authentication, integrity and other identification problems. Some come in the form of firewalls, authentication servers, biometrics, cryptography, intrusion detection, virus protection and Virtual Private Networks.

3

Vol. 2, No. 6

Modern Applied Science

Nowadays, millions of people use mobile phones over radio links for communication any time, any where, for business and /or convenience. The Global System for Mobile communication or Group Special Mobile (GSM) platform which was formed in 1982 [1] is a hugely successful wireless technology and an unprecedented invention of global achievement. Some research showed that at the end of Jan 2004 [2] there were over 1 billion GSM subscribers across more than 200 countries. In Japan alone, there were more than 87million phone subscribers, with internet-enabled phones accounting for 80% of the subscriptions in 2005. Today the world-wide figures are increasing even more, especially in Africa, Asia and other advancing economies where mobile communication uptake has increased by approximately 65% [17, 18]. The passage of time has moved wireless telecommunication some steps further. In the older analogue-based cellular telephone systems such as the Advanced Mobile Phone System (AMPS) and the Total Access Communication System (TACS) [3], cellular drop rate, interference and interception rate and general fraud on such systems were extensive and very rampant. It was very simple and easy for a radio hobbyist to tune in and hear mobile telephone conversations. Mostly, without any encryption [4], the voice and user data of the subscriber was in pure raw form and sent over the networks. SIM card cloning too was very easy and they together posed dangerous threat to the users. Such fatal flaws in the mobile phone and wireless technologies were all prevalent [5]. To prevent such flaws in mobile communication and to make mobile phone traffic more secure, GSM (Global System for Mobile communication or Group Special Mobile) became an apparent and relevant solution. GSM operates in the 900MHz, 1800MHz, or 1900 MHz frequency bands, which in essence provide a secure and confidential channel of communication. The prevalence of GSM technologies, together with the introduction of multimedia content delivery, provided means for users to begin to enjoy some of the benefits of having stable, continuous, private and secure environments for communication – audio, SMS, MMS services - through GSM network systems [18]. But how safe and secure is the GSM technology? Can it really protect vitally important information? In this paper we would provide a brief overview of GSM, its security and encryption technologies. Furthermore, we will attempt to provide a model for GSM security optimization. The third section will look at some GSM flaws and provide possible measures to overcome them. The final section gives an evaluative critique and conclusion to this paper. 2. Security Techniques used in Mobile Systems 2.1 Encryption: All cellular communication operates using air waves which can easily be intercepted with easily available suitable eavesdropping receivers. Considering this issue, the GSM technology integrated some security controls [6] in order to make the cellular system as secure as a fixed line phone. The system offers some level of physical security such that physical access is needed to the phone line for listening-in to be possible. This kind of control measures provides better security for conversation between two mobile phone users. According to GSM specification 02.09 [6], the security functions put in place are: authentication of a user, data and signaling confidentiality and Confidentiality of a user. Authentication of a user means that a mobile phone needs to prove that it has access to a particular network account with the operator. In other words, a person is not allowed to personate certain subscriber to use that person’s account. This function proves very important in protecting all subscribers’ cellular air-time fee and other benefits. Data and signaling confidentiality can be more appropriately understood. This function is to make sure that all signaling and user data, such as text messaging and speech are protected against interception by means of ciphering. Meanwhile confidentiality of a user function keeps the unique International Mobile Subscriber Identity (IMSI) and prevents it from being disclosed and displayed in plaintext to avoid leaving tracks of the user. It also means that intruders cannot easily track down certain subscriber of the GSM system. Besides some of the above security functions, there are other functions that prove to make the mobile phone more secured. The most commonly known protective system is that of the PIN which GSM system provides. In this kind of security control, if a user fails to provide a valid PIN number, the system would not allow the user to continue to perform any other authentication functions. And, in order to distribute the authentication and ciphering information throughout the network, the root key of all ciphering key generation and authentication, Ki [4] have to be distributed by another form known as vectors. This too adds another security level in the proposed security model as would be highlighted below and aims to improve the security of GSM technology In managing mobile access to network system resources, it is very essential to enforce security measures. The system should be able to know who is accessing resources at what point and know the purpose of each access. Controlling access to systems is best illustrated in the AAA framework: Authentication, Authorisation and Accounting [20, 21]. Authentication is the ability to identify network or system users through the validation of a set of assigned credentials such as user identification number and passwords. Authorisation defines the ability of a specific user to perform certain tasks, such as creating, modifying and deleting, after authentication has taken place. And, Accounting allows it to measure and record the consumption of network or system resources. This framework adapts well in a mobile or wireless environment. In this paper we will concern more on Authentication issues. 4

Modern Applied Science

November, 2008

The most challenging amongst the three issues in the AAA framework is authentication. The complexity of attacks nowadays has pushed the network society to build up strong authentication techniques. Rather than only relying on the inadequate use of usernames and passwords, different and efficient technologies have been developed for improve security, such as RADIUS (Remote Authentication Dial up User Service), Token-based Strong authentication, 802.11i Security, Secure Socket Layer (SSL), Virtual Private Networks (VPN) and Media Access Control (MAC) Filtering. In most Instances, GSM networks utilises encryption for three purposes: authentication, encryption and key generation [7], which would be discussed later. 2.2 Authentication: Authentication service within a system is concerned with assuring that a communication is authentic. It can prohibit an unauthorized user claiming to be a bonafide mobile subscriber logging into the network [6]. In order to ascertain the position, some kind of challenge needs to be issued by the network, for which the mobile station (MS) such as mobile phone, must respond to correctly. And if all fails, the unauthorized user therefore fails to personate the bonafide subscriber because of the challenge provided in connecting to the network. Others techniques, such as the SIM card, A3 Algorithm IMSI and Ki provide certain levels of security as would be discussed. The Subscriber Identity Module (SIM) card is a small smartcard with embedded micro-chip which is inserted into the GSM phone and provides the appropriate details of an account. The SIM card contains information which is necessary to gain access to a particular account. Some of which are: International Mobile Subscriber Identity (IMSI), and Individual Subscriber Authentication Key (Ki) etc. The IMSI is a sequence of 15-digit code, used to identify an individual GSM mobile station (MS) to a GSM network. It is like an ID card of a person. The format of IMEI is AABBBB--CC-DDDDDD-E and it denotes basic coded identifier information as shown in the table 1 below. Ki is utilised as a highly protected secret key shared between the MS and the Home Location Register (HLR) of the subscriber's home network [10]. It is a randomly generated 128-bit number and all keys and challenges used in the GSM system are generated according to Ki. Also used in authentication is the A3 algorithm. The figure 2 below identifies the A3 algorithm procedure. In this procedure, two 128-bit input codes are calculated by A3 algorithm and then a 32-bit output code is generated. However, A3 algorithm does not refer to a particular algorithm; it is rather the algorithm the operator has chosen to be implemented for authentication. The most common implementations for A3 are COMP128. The authentication procedure can simply be described as: mobile phone provides the Ki to network and the latter could verify the Ki to prove the mobile phone is not the impersonated one. But, this is highly insecure because the Ki could be intercepted by an eavesdropper. If Ki is lost, the authentication will disappear because the eavesdropper will personate that subscriber by providing the same Ki. In such situations, the GSM technology provides a better method to resolve such a problem. The network generates a 128-bit random number, RAND [10] which is 128-bit random challenge generated by the Home Location Register (HLR). It then uses the A3 algorithm (see figure 2) to generate an authentication sign, SRES [10] which is the 32-bit Signed Response (SRES) generated by the MS and the Mobile Services Switching Center. After the generation of SRES, the network then sends the RAND to the phone. The phone respond by doing the same, generating a 32-bit SRES and then transmitting the SRES back to the network for comparison. Authentication is complete and becomes successful only when the two values of SRES are the same. This enables the subscriber to then join the network. If authentication fails the first time, the network may choose to repeat the authentication procedure with the IMSI. If that too fails, the network releases the radio connection. The mobile then considers that SIM to be invalid. Therefore, the protection of Ki is provided. And just in case an eavesdropper manages to intercept the RAND, no relevant information can be retrieved by listening to the channel because, each time, a new RAND number is generated. 2.3 Ciphering: It is vitally important that providers keep user data and signaling data secure from interception by ciphering. The GSM system uses symmetric cryptography. And, in symmetric cryptography, the data is encrypted using an algorithm and the ciphering key. In GSM systems, the ciphering key is named Kc. Kc is the 64-bit ciphering key [10] and used as a Session Key for encryption of the air channel. Kc is generated by the MS from the RAND presented by the GSM network and the Ki from the SIM utilising the A8 algorithm. Like symmetric cryptography, this same Kc is needed by the decryption algorithm to decrypt the data. The idea is that the Kc should only be known by the phone and the network. If this is the case, the data is meaningless to anyone intercepting it. As earlier mentioned, the A8 algorithm uses the RAND and Ki as input to generate a 64-bit ciphering key (see figure 3) Kc which is then stored in the SIM and readable by the phone [11]. Like the SRES, the network also generates the Kc and distributes it to the base station (BTS) handling the connection. The A5 algorithm uses the 64-bit cipher key [12] derived from the 128-bit authentication key by the A8 algorithm in the SIM card to perform the encryption. The A5 algorithm is also 'seeded' by the value COUNT [6], which is sequentially 5

Vol. 2, No. 6

Modern Applied Science

applied to each 4.615ms GSM frame (see figure 4). Currently there are 3 algorithms defined for ciphering algorithms – A5/1, A5/2 and A5/3 [6]. A5/1 and A5/2 were the original algorithms defined by the GSM standard. A5/2 was a deliberate weakening of the algorithm for certain export regions, where A5/1 is used. In countries such as the US, UK and Australia, A5/3 was added in 2002 and is based on the open Kasumi algorithm defined by 3GPP. The output of A5 algorithm is the cipher text which is very secure and cannot be easily decrypted by eavesdroppers. 2.4 Anonymity: According to Srinivas [13], when a new GSM subscriber switches on his/her phone for the first time, its International Mobile Subscriber Identity (IMSI), for example real identity, is used and a Temporary Mobile Subscriber Identity (TMSI) is issued to the subscriber, which from then on is always used to identify the user. Anonymity is a process set to make it difficult to track and trace a mobile phone user of the system. In this process, once ciphering has commenced an initial TMSI is allocated. The VLR controlling the LA in which the TMSI is valid maintains a mapping between the TMSI and IMSI such that, the new VLR (if the MS moves into a new VLR area) can ask the old VLR who the TMSI (which is not valid in the new VLR) belongs to (See figure 5, 6) [6]. The use of TMSI prevents the recognition of a GSM user by the potential eavesdropper. To track a GSM user via the TMSI, an eavesdropper must intercept the GSM network communication where the TMSI was initially negotiated. In addition, because the TMSI is frequently changed, the eavesdropper must intercept each additional TMSI changing session. The TMSI is updated at least during every location update procedure such as when the phone changes location area (LA) or after a set period of time. The TMSI can also be changed at any time by the network. The new TMSI is sent in ciphered mode whenever possible so an attacker cannot maintain a mapping between an old TMSI and a new one [6]. The TMSI is valid in the location area in which it was issued. For communications outside the location area, the Location Area Identification (LAI) [14] is necessary in addition to the TMSI 2.5 Using authentication vectors: In the GSM communications, the AuC (Authentication Centre), which is a part of HLR (Home Location Register), as it is well known, stores the SRES, Kc and RAND for every particular subscriber. And if the subscriber is roaming, the foreign GSM database known as VLR (Visitor Location Register) would learn and source the Ki from HLR [13]. This process is very insecure because the Ki transfers directly from HLR to VLR and can be intercepted. However, the HLR distributes authentication vectors [6], including a valid SRES, Kc and RAND for the particular IMSI, which the VLR has specified. So therefore, the transmitted data are not Kis but other authentication and ciphering information, and given protection to the Ki. 2.6 SIM security: Most SIM card systems are often protected by an optional PIN code which resembles that of an ATM PIN card system. A set of numbers is keyed on the phone's keypad by the user, and the PIN is passed to the SIM for verification. If the PIN code is incorrect, and does not match that stored by the SIM, the result will be invalid code and the system will fail to perform authentication functions [8] unless the correct PIN is entered. Furthermore, when given the chance, if a user inputs the wrong PIN code three (3) times, the system will automatically lock out and block the user from using the system again. In such instance, a PIN Unlock called PUK is required to unlock the system before any use, if the PUK is correct. And incorrectly entering the PUK code 10 times, the SIM card would be permanently blocked and refusing local access to privileged information making the SIM useless. 3. GSM loopholes and possible solutions: The security algorithms discussed above tends to provide the global communication network with adequate security, which may seem absolute protection. However, when reality checks in, and with the increasing commonly available technologies around today, the networks have become increasingly vulnerable and more complicated to protect. As a result many are finding bigger loopholes in the GSM security system. Recently, some of the system loopholes have gradually been resolved by specialists, in line with the improved GSM specifications. Other new technologies such as GSM 1800, HSCSD, GPRS and EDGE have been added to enhance GSM system [3]. And, the 3rd generation (3G) technologies such as UMTS [6] have also been used to improve the security in GSM. The next section will explore some of the network security issues. 3.1 The UMTS technology: The authentication procedure in the GSM network systems does not require the network to prove its knowledge of the Ki or any other authentication context to the mobile phone. Therefore, it is possible for an attacker to setup an impersonated mobile base station with the same Mobile Network Code as the user's network. And with this, all calls or text messages sent by the subscriber could easily be intercepted. The Universal Mobile Telecommunications System (UMTS) is the world's choice for 3rd Generation wireless service delivery [15], as defined by the International Telecommunications Union (ITU). The UMTS technology makes it near impossible for an attacker to mimic or imitate 6

Modern Applied Science

November, 2008

the network in terms of a 2-way authentication procedure. The procedure for which the mobile authenticates itself to the network is almost the same as GSM. But in UMTS, the network also sends an Authentication Token known as AUTN along with the RAND. The AUTN contains the MAC code, which works much like the GSM SRES but in the opposite direction. Therefore, if the MAC sent by the network does not match the MAC calculated by the SIM, the phone respond by sending an authentication reject message to the network and the connection is then terminated. 3.2 Using the A3/A8 Algorithms: As earlier discussed, the common implementation of the A3 and A8 algorithms is concerned with a single algorithm COMP128; which generates the 64-bit Kc and the 32-bit SRES from the 128-bit RAND and the 128-bit Ki input. This algorithm has been found to be insecure, because, as it is, the RANDs can provide enough information for an attacker to determine the Ki in significantly less than the ideal number of attempts. Earlier attacks based on repeated 2R attacks [6] could typically crack a SIM in approximately 217 RANDs. Increasingly, and even more so, some users have found it useful to 'clone' several of their SIMs [16] onto a single programmable smartcard with easily available technology. The common implementation of A3/A8, COMP128 has another flaw, in that, when generating the 64-bit Kc, it always sets the least significant 10 bits of the Kc to 0 [3] this is almost certainly a deliberate weakening. This effectively reduces the strength of the data ciphering algorithm to 54 bits, regardless of which ciphering algorithm is used. Therefore, faced with the above insecurity, the newer implementations of A3/A8 have been introduced such as COMP128-2 and COMP128-3 [6] to help alleviate the problems. So far, these algorithms have held up reasonably well, however, they are still a mystery as they are developed in secret. COMP128-2 still has the deliberate 10-bit weakening of the ciphering Kc however. COMP128-3 is the same basic algorithm without this weakening, such as a truly 64-bit Kc. In fact, the new algorithms of COMP128-2 and COMP128-3 have managed to stop SIM cloning somehow and have also made the serious over-the-air Ki extraction difficult and unfeasible, even if they do not approach the ideal strength of 2128. 3.3 Exploring A5/3, A5/1 and A5/2 algorithms: The A5/1 output is based on the modulo-2 which is performed using an exclusive OR known as xor operation summed output of 3 LFSRs whose clock inputs are controlled by a majority function of certain bits in each LFSR. However, the attack exploits flaws [15] in the algorithm and A5/1 could be cracked in less than 1 second on a typical PC. A5/2 is a deliberately weakened version of A5/1, which has been demonstrated to be also flawed. A5/2 can be cracked on the order of about 216, and thus is even weaker than A5/1. GSM supports up to 7 different algorithms for A5 ciphering. Until recently, only the A5/1 and A5/2 algorithms were used. In 2002, GSM added a much stronger algorithm A5/3 which is based on the Kasumi core which is the core encryption algorithm for UMTS [6]. However, only few networks and handsets support this algorithm currently. 4. Conclusion: The security measures used in the global telecommunication systems such as encryption, authentication, ciphering and anonymity, attempt to provide the mobile phone users some privacy and anonymity, in addition to protecting the system from the fraudulent use. However, we have also seen some weaknesses in the security of the system. There can be no perfect security for any system and this paper does not attempt to provide the silver bullet answer. Although some new measures by which the security of GSM have been suggested, it is just a matter of time before hackers find ways around these measures. In fact, it could be argued that the GSM technology is the most secure, globally accepted wireless system, with public standard to date. The system could be made more secured by implementing appropriate security measures in certain areas of system management – compliance and governance. Adequate and proper management of user identities in open systems networks is crucial in providing better security and improve efficiency. Identity management (IDM) requires an integrated and often complex infrastructure where all parties involved, must be trusted for specific purposes and satisfaction gained depending on their role and function. The future may be, is in the direction of User-Centric ID management. However, in this paper, many algorithms have been implored to demonstrate the mechanisms of security in the GSM specification in order that some level of security is maintained in the cellular telecommunications system process. Also, other flaws such as exist in COMP128 and A5/1 have been examined, these vulnerabilities give access to attackers to mimic, scan and intercept contents - conversations and/or text messages for dubious purposes. Some measures have also been explored to an extent, in plugging the loopholes. Imploring new technologies such as UMTS and other improved algorithm will in future take care of the security weakness in GSM technology. Furthermore, with new developments in the GSM technologies, easily detected and recorded IME and SIM technologies, together with well managed International Standards and agreements it is very likely that, more secure methods will be developed and used in 3G and 4G mobile network environments to give it added improved security, that would also bring added benefits of improved user confidence and reduce device theft and fraud. 5. References Arreymbi, J. (2002), Issues in Delivering Multimedia Content to Mobile devices, In Proceedings of the 6th International 7

Modern Applied Science

Vol. 2, No. 6 Conference on Information Visualization. IEEE, Computer Society, London 2002. Biryukov, Shamir, Wagner, Real Time http://www.cs.berkeley.edu/~daw/papers/a51-fse00.ps

Cryptanalysis

of

A5/1

on

a

PC,

Charles Brookson, Can you clone a GSM Smart Card (SIM)? July 2002, http://www.brookson.com/gsm/clone.pdf Chengyuan Peng, GSM and GPRS http://www.tml.hut.fi/Opinnot/Tik-110.501/2000/papers/peng.pdf

security,

(24th

Oct.

2004)

Comparison of Airlink Encryptions, 2003, Dimitris N. Chorafas, (1997), High Performance Networks, Personal Communications and Mobile Computing, 109-137, Macmillan Press Ltd. GSM Tutorial, International Engineering Consortium, 2004, http://www.iec.org/online/tutorials/gsm/topic02.html Have the A3 and A8 algorithms http://www.gsm-security.net/faq/gsm-a3-a8-comp128-broken-security.shtml

been

broken?

How is encryption utilized in GSM? 2004, http://www.gsm-security.net/faq/gsm-encryption.shtml http://www.dcs.warwick.ac.uk/~esvvv/docs/specification_10-10-03.pdf http://www.gsm-security.net/faq/gsm-ki-kc-rand-sres.shtml http://www.qualcomm.com/technology/1xev-do/webpapers/wp_Airlink_Encryption.pdf International Telecommunication Union (ITU) http://www.itu.int/ITU-D/ict/publications/africa/2004.

(2004),

African

Telecommunication

Indicators

2004.

James Arlin Cooper, 281-401, (1989), Computer and Communications Security, Strategies for the 1990s, McGraw-Hill Book Company. Jeremy Quirke, Security in the GSM system, May 2004 Paul Montague and Rai Safavi-Naini, Eds, (2005), Security workshop 2005, Conferences in Research and Practice in Information Technology, Vol. 44, Australian Computer Society, Inc. Priyanka Agarwal, Security of GSM System, Jan. 2005, Distribution Source: Article Warehouse. Secure Mobile Communication, Oct. 2003, SIM card, GSM system, Chapter 7, http://www.mc21st.com/techfield/systech/gsm/g7-4.htm Srinivas, The GSM Standard (An overview of its security), Oct. 2004, http://www.sans.org/rr/papers/index.php?id=317 Today's GSM, 2005, http://www.gsmworld.com/technology/gsm.shtml What are Ki, Kc, RAND, and SRES? What is an IMEI? 2004, http://www.gsm-security.net/faq/imei-international-mobile-equipment-identity-gsm.shtml Yong LI, Yin CHEN, Tie-Jun MA, Security in GSM, 2003, http://www.gsm-security.net/papers/securityingsm.pdf

Table 1. The format of IMEI [9]

8

AA

Country Code

BBBB

Final Assembly Code

CC

Manufacturer Code

DDDDDD

Serial Number

E

Unused

Modern Applied Science

November, 2008

Authentication

GSM Network

Anonymity

Vectors

Ciphering

PIN

Figure 1. Proposed Model for improve GSM Security

Figure 2. A3 algorithm [6]

Figure 3. A8 algorithm [6]

Figure 4. A5 algorithm [6]

9

Modern Applied Science

Vol. 2, No. 6

Figure 5. Allocating a new TMSI [6]

Figure 6. Allocating a new TMSI [6]

10